Dappy specifications

Content Security Policy (CSP)


Last updated 3 years ago


CSP is a great feature of modern browsers, and it is 100% supported by Dappy. A major difference, though, is that web servers have no control over it: the CSP is not defined by the HTTP headers on the first top-level navigation request, nor by HTML meta tags.

CSP rules are defined at the name system level, which makes them rock solid and impossible to change through any MITM attack or server intrusion.

See

An example of a csp value in the configuration for a record mysite:

{
  "values": [
    ...,
    {
      "kind": "csp",
      "value": "default-src 'self' mysite; script-src https://mysite; img-src https://mysite https://mysecondsite"
    }
  ]
}
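
As an added illustration (not Dappy's implementation and not code from this page), the sketch below reads the policy from the record's `csp` value and discards any CSP header sent by the server, which is the behaviour described above. The function names, the sample server header and the `null` result for a record without a `csp` value are assumptions; the page does not say what Dappy does in that case.

```javascript
// Added example, not Dappy's code. The field names "values", "kind" and
// "value" come from the record shown above; all function names are hypothetical.

// Constructed sample record for the name "mysite".
const sampleRecord = {
  values: [
    {
      kind: "csp",
      value: "default-src 'self' mysite; script-src https://mysite; img-src https://mysite https://mysecondsite",
    },
  ],
};

// Constructed sample: headers from a tampered response trying to loosen the policy.
const sampleServerHeaders = {
  "Content-Security-Policy": "default-src * 'unsafe-inline'",
};

// Split a CSP string into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP specification, a repeated directive is ignored: first one wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Return the policy string stored in the record, or null if it has no csp value.
function cspFromRecord(record) {
  const entry = (record.values || []).find(
    (v) => v && v.kind === "csp" && typeof v.value === "string"
  );
  return entry ? entry.value : null;
}

// The record is the only policy source; server CSP headers are listed, never merged.
function effectiveCsp(record, serverHeaders) {
  const fromRecord = cspFromRecord(record);
  const ignoredHeaders = Object.keys(serverHeaders).filter((h) =>
    h.toLowerCase().startsWith("content-security-policy")
  );
  return { policy: fromRecord ? parseCsp(fromRecord) : null, ignoredHeaders };
}
```
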
Mozilla's documentation on CSP
Our implementation